Canada Post data breach affected 4,500 customers, OCS says

The Ontario Cannabis Store website is pictured on a mobile phone Ottawa on Thursday, Oct. 18, 2018. The Canadian Press placed 13 online orders on the afternoon of Oct. 17 of the cheapest available gram of dried flower in each province and territory available across the country - and three have still yet to arrive more than one week later. Sean Kilpatrick / THE CANADIAN PRESS

The Ontario Cannabis Store (OCS) says a data breach at Canada Post has caused some customers’ delivery information to be hacked.

In an email notice to customers, Patrick Ford, president and CEO of OCS said Canada Post notified them on Nov. 1 that about 2 per cent of customer orders, which is approximately 4,500 orders, was accessed by someone through Canada Post’s delivery tracking tool.

READ MORE: Ontario ombudsman receives more than 1,000 complaints over cannabis store

The OCS said that once they were made aware of the incident, they immediately engaged with the Office of the Information and Privacy Commissioners of Ontario about the breach.

They said they have been working with Canada Post to identify the cause of the issue and to prevent future incidents of breaches to customer privacy and information.

Story continues below advertisement

WATCH: Just weeks after recreational cannabis became legal to buy and sell, Ontario’s online system was exposed to a security flaw. Sean O’Shea reports.

Click to play video: 'Security Breach at Ontario Cannabis Store' Security Breach at Ontario Cannabis Store
Security Breach at Ontario Cannabis Store – Nov 7, 2018

“The OCS has encouraged Canada Post to take immediate action to notify their customers,” said the OCS in the email sent to customers. “To date, Canada Post has not taken action in this regard.”

In the notice, they state that a customer’s delivery information that might have been accessed in the breach includes: postal code, name or initials of the person who signed for the order, OCS reference number, Canada Post’s tracking number and the OCS corporate name and business address.

READ MORE: Ontarians fed up with cannabis delivery delays are complaining to the provincial ombudsman

However, information like the name of the person who made the order, delivery address, payment information and the contents of the order were not involved in the breach and was not affected.

Story continues below advertisement

Canada Post tells Global News in an email statement that they are pleased the OCS has notified their customers of the issue.

They said since the incident, both organizations have been working closely to investigate and resolve the issue, and important fixes have been put in place to prevent further unauthorized access to customer information.

“We have also shared with OCS that we are confident that the customer who accessed the information only shared it with Canada Post and deleted it without distributing further,” said Canada Post in the statement.

Canada Post said they’ve also notified the Federal Privacy Commissioner about the breach.

READ MORE: Ontario Cannabis Store says it had 100,000 online sales in first 24 hours of legalization

According to a cybersecurity expert, while the demand for cannabis could be a reason for hacks, this particular incident might be a design flaw or mistake in the delivery tracking system.

“Normally, when systems like these are designed, in this case it seems to be a tracking system. They’re not designed with security in mind,” said David Masson, country manager for Darktrace, a cybersecurity company.

“People come up with a process and at the very end, decide to put some security in. You need to be doing this right at the beginning of the process, not at the end, because inevitably mistakes will be made.”

Story continues below advertisement

Masson said that there was a good chance a data breach for the OCS was predictable due to the current demand for cannabis online.

“With the new legislation that’s come out [on privacy data] companies like OCS and whoever will want to make sure third parties do understand that safeguards need to be in place to protect privacy information,” said Masson.

READ MORE: Who will sell legal marijuana in Ontario, and where? It’s no longer clear

“Whether that’s information just using or manipulating as part of the natural commercial processes – or in this case, being used to actually distribute the product.”

–With files from Sean O’Shea

The Ontario Cannabis Store sent out an email to customers notifying them of a Canada Post data breach that affected customers’ delivery information. Global News

Sponsored content